The FBI has once again demonstrated its willingness to exploit terror attacks to weaken encryption and electronic privacy. On Tuesday, the FBI served Apple with a court order demanding that the company write code to bypass key security features on an iPhone 5C belonging to one of the San Bernardino terror attackers. It turns out the FBI has been attempting to access the locked phone since recovering it following the attack in December, but cannot bypass the passcode. The order (PDF), signed by a federal judge, demands that Apple write custom code to disable security features on this single iPhone: specifically, removing a built-in time delay between incorrect passcode attempts, and disabling the feature that will wipe the phone’s contents after 10 incorrect passcode attempts. Essentially, the FBI wants to be able to “brute force” the locked iPhone with millions of passcode attempts without risk of erasing the phone’s contents, and without the process taking months or years.
Apple CEO Tim Cook responded with an “open letter” to customers that makes clear that Apple will not cooperate with the FBI’s order, describing it as “an unprecedented step which threatens the security of our customers,” and calling for public discussion. Although the FBI’s order only concerns a single iPhone, Cook argues that complying with the order would set a dangerous precedent and weaken security for all customers.
“In today’s digital world, the “key” to an encrypted system is a piece of information that unlocks the data, and it is only as secure as the protections around it. Once the information is known, or a way to bypass the code is revealed, the encryption can be defeated by anyone with that knowledge.
The government suggests this tool could only be used once, on one phone. But that’s simply not true. Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks — from restaurants and banks to stores and homes. No reasonable person would find that acceptable.” (Apple)
As Kaveh Waddell observes in The Atlantic, Apple is increasingly adopting the leading pro-privacy stance among tech companies, although opinion is divided around how much of this should be attributed to a core, altruistic belief in the importance of privacy versus a calculated attempt to be perceived as aligned with a marketplace concerned with electronic privacy. If strong public support materializes, Apple could come out of this fight looking like a champion of electronic privacy. Waddell notes, however, that Cook’s stand against the FBI could backfire if “instead of leading a rebellion against government surveillance, Apple is seen by the public to be obstructing a federal investigation into an act of terrorism.”
Tech companies and civil rights groups have already spoken out in support of Apple’s position. The Electronic Frontier Foundation (EFF) has signaled its intent to file an amicus brief in support of Apple, and the ACLU and Amnesty International have also issued statements of support.
The privacy advocacy group Fight for the Future has announced plans for rallies in support of Apple’s position at Apple Stores across the country on Tuesday, February 23. For details, visit the Facebook page or campaign website at dontbreakourphones.org. Capitalizing on the immediate public outcry, EFF held an impromptu rally outside a San Francisco Apple store yesterday:
— EFF (@EFF) February 18, 2016
Recognize the Pattern: Exploiting Terror Attacks
At moments like this, it is important to step back and look at the big picture. Following the terror attacks in Paris and then San Bernardino, rights groups (including BORDC/DDF) warned that law enforcement agencies would try to capitalize on increased public fear of terrorism to push legal actions, and ultimately legislation, that weaken encryption and privacy, and expand surveillance (see this November 2015 article for more).
Public opinion is key: law enforcement agencies know that the public values privacy, and without the threat of terrorism they would struggle to make a case for why we should give up our personal data and security. As a top lawyer for the intelligence community wrote in private emails obtained by the Washington Post last year, “the legislative environment [for weakening encryption] is very hostile today [but] it could turn in the event of a terrorist attack or criminal event where strong encryption can be shown to have hindered law enforcement.”
Fight for the Future Campaign Director Evan Greer echoes this argument, and underscores the far-reaching impact that Apple’s compliance with the FBI order would have:
“Governments have been frothing at the mouth hoping for an opportunity to pressure companies like Apple into building backdoors into their products to enable more sweeping surveillance. It’s shameful that they’re exploiting the tragedy in San Bernardino to push that agenda … Security experts agree that any weakening or circumvention of security features on a phone puts everyone in danger. Encryption is what protects our airports, power plants, and hospitals. If the FBI succeeds in forcing Apple to help them hack into an iPhone, it will open the floodgates and set a dangerous precedent that will inevitably lead to more suffering and loss of life.” (Fight for the Future)
To learn more about rallies organized by Fight for the Future, visit their campaign website and spread the word on social media. Rallies are planned at Apple Stores nationwide on February 23rd at 5pm.
If you would like to learn more about the technical details of the FBI’s order, and exactly what Apple has been asked to do, these articles are a good place to start: